evolve-law
"Cyberwarfare is like a soccer game with all the fans on the field with you and no one is wearing uniforms."
- Marshall Lytle, Chief Information Officer of the Joint Staff
PERFECTLY STATED
CHANGING DYNAMICS
Your data is more accessible today. You are only as secure as your weakest partner.
Systems that handle law firm data (diagram labels):
- Time and Billing Software
- Case and Client Management
- E-Discovery
- Cybersecurity Software Solutions
- Document Management
- Local Counsel
CUSTOMER DATA FLOW CHART
Integrity of data security throughout the supply chain is the cost of doing business, as customers demand secure vendors.
Data flow (diagram labels): Customers -> Law Firm -> Vendor / Vendor / Vendor
Communicate your security policies and procedures throughout the supply chain
Identify, quantify, and prioritize security risk related to sharing sensitive data throughout the supply chain (hardware, software, and services)
Cybersecurity / Compliance / Risk Management
CYBER SUPPLY CHAIN RISK MANAGEMENT
Attack chain:
1. Phishing attack against Fazio Mechanical (an HVAC vendor)
2. Accessing the Target network
3. Gained access to vulnerable machines
4. Installed malware on Point of Sale terminals
5. Collected credit card information from PoS
6. Moved data out of the Target network
A Google search would have shown the vendor portal, a list of HVAC and refrigeration companies, and a Microsoft case study of Target's architecture.
Impact: 40 million credit and debit cards and 70 million records of personal information
TARGET CASE STUDY
THREE PILLARS OF SUPPLY CHAIN THREATS
- People / Employees: What employees have access to my data? Have you completed an in-depth screening of each employee?
- Services: Can you adequately protect my assets and personnel?
- Products: What technologies are used in your products? Is my data being shared with your third parties (4th Party Risk)?
BEST PRACTICES – ROAD MAP
1. Identify ALL vendors in the supply chain
2. Catalog vendors by criticality to the business
3. Create the right questions based on the risk level and role of the vendor
4. Score results and communicate with business units for transparency
5. Translate areas of risk into the contract Terms and Conditions
6. Automate reassessment to ensure compliance; enforce the audit clause
CREATING VENDOR INVENTORY
Expanded definition of vendor: include all third parties that touch your networks, components or information systems
Vendors that provide physical security and support services (executive protection, janitorial, CCTV)
Determine data access and business criticality:
- Tier 1: Business Critical Systems (real-time risk priorities)
- Tier 2: High Criticality
- Tier 3: Medium Criticality
- Tier 4: Low Criticality
WHAT INFORMATION IS RELEVANT
Depending on the data access and criticality of your vendor, the security assessment should be customized to meet your firm's policies, compliance requirements and best practices.
Key Security Domains:
- Business continuity / disaster management
- Personnel security
- System development
- Application security
- Overall system security
- Network security
- Data security and Life Cycle Management
- Access control (physical and cyber)
- Vulnerability management
- Change Management
- Third Party Vendors
DEVELOPING THE CONTRACT
Translate results into the Terms and Conditions of contracts:
- How the vendor should handle your data
- What employees should have access, and background checks for new employees
- Evaluation requirement of components and/or technologies used in their products
- Patch update notification requirements before deployment
- Breach notification clauses
HOW FREQUENTLY SHOULD THIS BE COMPLETED
- Baseline Security Assessment
- Annual Reassessment
- Real-Time Critical Updates
- Ad Hoc Vendor Audits
The organization that shares the data has the ultimate right to control who has access to the data and how frequently their security is evaluated.
CONCLUSION
- Vendors typically need you more than you need them
- Complete assessments on a regular basis
- Require 3rd Party Risk Assessment by your vendors (your 4th party)
- Enforce your audit clause to validate compliance
- Ensure background checks and training are completed by your vendors that have customer information
- Set a policy, stick with it, and communicate to all stakeholders
CONTACT INFORMATION
Ishan Girdhar, Chief Executive Officer
[email protected]
+1 (443) 800 – 3499
www.privva.com